<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sys/netinet, branch releng/5.3</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=releng%2F5.3</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=releng%2F5.3'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2006-02-01T19:43:36Z</updated>
<entry>
<title>MFRELENG_5 sys/netinet/tcp_sack.c rev. 1.3.2.10:</title>
<updated>2006-02-01T19:43:36Z</updated>
<author>
<name>Colin Percival</name>
<email>cperciva@FreeBSD.org</email>
</author>
<published>2006-02-01T19:43:36Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=1cdc31cf597dc3b03b8b8434623459b3b5d636e3'/>
<id>urn:sha1:1cdc31cf597dc3b03b8b8434623459b3b5d636e3</id>
<content type='text'>
  Avoid an infinite loop in sack scoreboard processing when the per-hole
  limits or global scoreboard limits are reached, or when memory
  exhaustion occurs. This can occur when an existing hole fails to be
  split due to limits or memory exhaustion.

Security:	FreeBSD-SA-06:08.sack
Approved by:	so (cperciva)
</content>
</entry>
<entry>
<title>Correct bzip2 denial of service and permission race vulnerabilities.</title>
<updated>2005-06-29T21:46:15Z</updated>
<author>
<name>Simon L. B. Nielsen</name>
<email>simon@FreeBSD.org</email>
</author>
<published>2005-06-29T21:46:15Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=681614024c4009d84d7c71c44d3fa50779727ef8'/>
<id>urn:sha1:681614024c4009d84d7c71c44d3fa50779727ef8</id>
<content type='text'>
Obtained from:	Redhat, Steve Grubb via RedHat
Security:	CAN-2005-0953, CAN-2005-1260
Security:	FreeBSD-SA-05:14.bzip2
Approved by:	obrien

Correct TCP connection stall denial-of-service vulnerabilities.

MFC: rev 1.270 of tcp_input.c, rev 1.25 of tcp_seq.h by ps: When a TCP
packet containing a timestamp is received, inadequate checking of
sequence numbers is performed, allowing an attacker to artificially
increase the internal "recent" timestamp for a connection.

A TCP packet with the SYN flag set is accepted for established
connections, allowing an attacker to overwrite certain TCP options.

Security:	CAN-2005-0356, CAN-2005-2068
Security:	FreeBSD-SA-05:15.tcp

Approved by:	so (cperciva)
</content>
</entry>
<entry>
<title>MFC: Fix two issues which were missed in FreeBSD-SA-05:08.kmem.</title>
<updated>2005-05-08T10:23:51Z</updated>
<author>
<name>Colin Percival</name>
<email>cperciva@FreeBSD.org</email>
</author>
<published>2005-05-08T10:23:51Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=8ce93286c31db22a331d0f2ef850c950a3fc39cd'/>
<id>urn:sha1:8ce93286c31db22a331d0f2ef850c950a3fc39cd</id>
<content type='text'>
Reported by:	Uwe Doering
Approved by:	so (cperciva)
</content>
</entry>
<entry>
<title>If we are going to</title>
<updated>2005-05-06T02:50:35Z</updated>
<author>
<name>Colin Percival</name>
<email>cperciva@FreeBSD.org</email>
</author>
<published>2005-05-06T02:50:35Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=9be140854826fbd914b4b3d0ed7ea18551025751'/>
<id>urn:sha1:9be140854826fbd914b4b3d0ed7ea18551025751</id>
<content type='text'>
1. Copy a NULL-terminated string into a fixed-length buffer, and
2. copyout that buffer to userland,
we really ought to
0. Zero the entire buffer
first.

Security: FreeBSD-SA-05:08.kmem
Approved by: so (cperciva)
</content>
</entry>
<entry>
<title>Merge tcp_output:1.104 from HEAD to RELENG_5_3:</title>
<updated>2004-10-30T20:50:06Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2004-10-30T20:50:06Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=82d4c1675e2d0ff99df2b5ed2fab8c6e74f69cf3'/>
<id>urn:sha1:82d4c1675e2d0ff99df2b5ed2fab8c6e74f69cf3</id>
<content type='text'>
  date: 2004/10/30 12:02:50;  author: rwatson;  state: Exp;  lines: +2 -2
  Correct a bug in TCP SACK that could result in wedging of the TCP stack
  under high load: only set function state to loop and continue sending
  if there is no data left to send.

  RELENG_5_3 candidate.

  Feet provided:  Peter Losher &lt;Peter underscore Losher at isc dot org&gt;
  Diagnosed by:   Daniel Hartmeier &lt;daniel at benzedrine dot cx&gt;
  Submitted by:   mohan &lt;mohans at yahoo-inc dot com&gt;

Approved by:	re (kensmith)
</content>
</entry>
<entry>
<title>MFC r1.131:</title>
<updated>2004-10-26T17:28:36Z</updated>
<author>
<name>Bruce M Simpson</name>
<email>bms@FreeBSD.org</email>
</author>
<published>2004-10-26T17:28:36Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ae78dbb3d23f8d7794b14dc4324fb1600dc08273'/>
<id>urn:sha1:ae78dbb3d23f8d7794b14dc4324fb1600dc08273</id>
<content type='text'>
Check that rt_mask(rt) is non-NULL before dereferencing it, in the
RTM_ADD case, thus avoiding a panic.

PR:		kern/42030
Submitted by:	Iasen Kostov
Approved by:	re@
</content>
</entry>
<entry>
<title>Merge kern_descrip.c:1.246, uipc_socket.c:1.214, uipc_usrreq.c:1.141,</title>
<updated>2004-10-21T09:30:48Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2004-10-21T09:30:48Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=689a28d6610af4c680f8bd5d9c5be33811a50754'/>
<id>urn:sha1:689a28d6610af4c680f8bd5d9c5be33811a50754</id>
<content type='text'>
raw_cb.c:1.30, raw_usrreq.c:1.35, ddp_pcb.c:1.45, atm_socket.c:1.21,
ng_btsocket_hci_raw.c:1.16, ng_btsocket_l2cap.c:1.14,
ng_btsocket_l2cap_raw.c:1.13, ng_btsocket_rfcomm.c:1.13, in_pcb.c:1.156,
tcp_subr.c:1.205, in6_pcb.c:1.61, ipx_pcb.c:1.29, ipx_usrreq.c:1.41,
natm.c:1.35, socketvar.h:1.135 from HEAD to RELENG_5_3:

  Push acquisition of the accept mutex out of sofree() into the caller
  (sorele()/sotryfree()):

  - This permits the caller to acquire the accept mutex before the socket
    mutex, avoiding sofree() having to drop the socket mutex and re-order,
    which could lead to races permitting more than one thread to enter
    sofree() after a socket is ready to be free'd.

  - This also covers clearing of the so_pcb weak socket reference from
    the protocol to the socket, preventing races in clearing and
    evaluation of the reference such that sofree() might be called more
    than once on the same socket.

  This appears to close a race I was able to easily trigger by repeatedly
  opening and resetting TCP connections to a host, in which the
  tcp_close() code called as a result of the RST raced with the close()
  of the accepted socket in the user process resulting in simultaneous
  attempts to de-allocate the same socket.  The new locking increases
  the overhead for operations that may potentially free the socket, so we
  will want to revise the synchronization strategy here as we normalize
  the reference counting model for sockets.  The use of the accept mutex
  in freeing of sockets that are not listen sockets is primarily
  motivated by the potential need to remove the socket from the
  incomplete connection queue on its parent (listen) socket, so cleaning
  up the reference model here may allow us to substantially weaken the
  synchronization requirements.

  RELENG_5_3 candidate.

  MFC after:      3 days
  Reviewed by:    dwhite
  Discussed with: gnn, dwhite, green
  Reported by:    Marc UBM Bocklet &lt;ubm at u-boot-man dot de&gt;
  Reported by:    Vlad &lt;marchenko at gmail dot com&gt;

Approved by:    re (scottl)
</content>
</entry>
<entry>
<title>Merge udp_usrreq.c:1.167 from HEAD to RELENG_5:</title>
<updated>2004-10-14T11:49:25Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2004-10-14T11:49:25Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=3cb254ea13f4907abf49399e5184ab092c3bdd90'/>
<id>urn:sha1:3cb254ea13f4907abf49399e5184ab092c3bdd90</id>
<content type='text'>
  date: 2004/10/12 20:03:56;  author: rwatson;  state: Exp;  lines: +3 -3
  Don't release the udbinfo lock until after the last use of UDP inpcb
  in udp_input(), since the udbinfo lock is used to prevent removal of
  the inpcb while in use (i.e., as a form of reference count) in the
  in-bound path.

  RELENG_5 candidate.

Approved by:	re (scottl)
</content>
</entry>
<entry>
<title>Merge raw_ip.c:1.145 from HEAD to RELENG_5:</title>
<updated>2004-10-14T11:45:26Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2004-10-14T11:45:26Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=95b65b8064185a4c1838ab51a96fdee4c4edd28c'/>
<id>urn:sha1:95b65b8064185a4c1838ab51a96fdee4c4edd28c</id>
<content type='text'>
  date: 2004/10/12 16:47:25;  author: rwatson;  state: Exp;  lines: +41 -20
  When the access control on creating raw sockets was modified so that
  processes in jail could create raw sockets, additional access control
  checks were added to raw IP sockets to limit the ways in which those
  sockets could be used.  Specifically, only the socket option IP_HDRINCL
  was permitted in rip_ctloutput().  Other socket options were protected
  by a call to suser().  This change was required to prevent processes
  in a Jail from modifying system properties such as multicast routing
  and firewall rule sets.

  However, it also introduced a regression: processes that create a raw
  socket with root privilege, but then downgraded credential (i.e., a
  daemon giving up root, or a setuid process switching back to the real
  uid) could no longer issue other unprivileged generic IP socket option
  operations, such as IP_TOS, IP_TTL, and the multicast group membership
  options, which prevented multicast routing daemons (and some other
  tools) from operating correctly.

  This change pushes the access control decision down to the granularity
  of individual socket options, rather than all socket options, on raw
  IP sockets.  When rip_ctloutput() doesn't implement an option, it will
  now pass the request directly to in_control() without an access
  control check.  This should restore the functionality of the generic
  IP socket options for raw sockets in the above-described scenarios,
  which may be confirmed with the ipsockopt regression test.

  RELENG_5 candidate.

  Reviewed by:    csjp

Approved by:	re (scottl)
</content>
</entry>
<entry>
<title>MFC r1.78: further rule verification (against corrupt rules added by root).</title>
<updated>2004-10-13T22:07:05Z</updated>
<author>
<name>Brian Feldman</name>
<email>green@FreeBSD.org</email>
</author>
<published>2004-10-13T22:07:05Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=f6ebdf929ca1a8e070555651d7ba096ff6f20907'/>
<id>urn:sha1:f6ebdf929ca1a8e070555651d7ba096ff6f20907</id>
<content type='text'>
Approved by:	re
</content>
</entry>
</feed>
